REMARKS

The Applicants and the undersigned thank Examiner Sou for his careful review of this
application. After entry of this Amendment, Claims 1-59 are pending in the present application,
with Claims 1, 16, 27, 34, and 49 being independent. Applicants have amended Claims 1, 16,
27, 34, and 49 herein. The Applicants believe that no new matter has been added to this
application.

Consideration of the present application is respectfully requested in light of the above
amendments to the application and in view of the following remarks.

Claim Rejections

In the Office Action dated June 14, 2005, the Examiner rejected Claims 1-11, 15-22, 24-44,
46-55, and 57-59 under 35 U.S.C. § 102(e) as being anticipated by Hill, U.S. Patent No.
6,UXK,K04. Furthermore, the Examiner rejected Claims 12, 23, 45, and 56 under 35 U.S.C. §
103(a) as being unpatentable over Hill.

The Applicants respectfully offer remarks to traverse these rejections. The Applicants
will address each independent claim separately as the Applicants believe that each independent
claim is separately patentable over the prior art of record.

Independent Claim 1

The rejection of Claim 1 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating a plurality of
alerts with a plurality of security devices at a first location; (2) providing one or more variables
operable for analyzing and filtering security event data, the variables comprising at least one of a
location of a security event, a source of security event, a destination address of the security
event, a security event type, a priority of a security event, and an identification of a system that
detected a security event; (3) creating scope criteria by selecting one or more of the variables
operable for analyzing and filtering security event data, the security event data comprising the
plurality of alerts; (4) collecting the security event data generated by the plurality of security
devices located at the first location; (5) storing the collected security event data at a second
location; (6) analyzing and filtering the collected security event data with the scope criteria to
produce result data; (7) transmitting the result data to one or more clients; and (8) displaying the
result data comprising filtered alerts based on the scope criteria, as recited in amended
independent Claim 1.

The Hill Reference 

The Hill reference describes a dynamic network security system (20) that responds to a
security attack on a computer network (22) having a multiplicity of computer nodes (24). The
security system (20) includes a plurality of security agents (36) that concurrently detect
occurrences of security events on associated computer nodes (24). A processor (40) processes the
security events that are received from the security agents (36) to form an attack signature of the
attack. A network status display (42) displays multi-dimensional attack status information
representing the attack in a two dimensional image to indicate the overall nature and severity of
the attack. See Figure 1 of the Hill system reproduced below.

As shown in Figure 3 of the Hill reference below, a database (48) maintains simulated
attack information for a plurality of simulated attacks (52). Each of the simulated attacks (52) is
a prediction of an attack type that may occur on network (22). Simulated attacks (52) are
generated by an operator and stored in database (48). Each simulated attack (52) contains a
training signature (53) that is defined by a plurality of security events (50) of at least one security
event type (56). Security events (50) are presented in database (48) in a column (58) as a
percentage of security events per event type.

In addition to security event types (56) and percentage of security events (50) per event
type (58), training signatures (53) include location identifiers (60) and attack severity (61), which
is a level of security breach that one of simulated attacks (52) could cause computer network
(22), with a greater attack severity (61) causing more damage. The attack severity (61) is based
on the complexity of computer networks having thousands of nodes, where certain related nodes
that are affected by simulated attacks (52) may result in greater overall negative impact or
security breach to computer network (22) thus increasing the severity of simulated attacks (52).
Therefore, the attack severity (61) can be categorized in many different forms based on the
number of nodes they affect for each of the simulated attacks (52).

As shown in Figure 7 of the Hill reference below, a network status display (42) displays
multi-dimensional attack status information presenting a current attack in a two dimensional
image to indicate the overall nature and severity of the attack. The network status display (42)
presents a display map (66) and an attack status information list (108) showing security event
type (56) and location identifiers (60) for an example attack (92). The network status display (42)
also presents an attack signature log (110) which provides current and historical perspective on a
given attack record at various sample times. The attack signatures in log (110) are the text
equivalent of the two dimensional image as highlighted in display map (66). In addition, the
network status display (42) includes an attack mitigation list (112) which is a catalogue of
actions that a network manager may take in order to mitigate the example attack (92).




The Hill reference fails to teach providing one or more variables operable for analyzing
and filtering security event data, the variables comprising at least one of a location of a security
event, a source of security event, a destination address of the security event, a security event
type, a priority of a security event and an identification of a system that detected a security
event; and creating scope criteria by selecting one or more of the variables operable for
analyzing and filtering security event data; as recited in amended independent Claim 1.

In light of the differences between amended independent Claim 1 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 1. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 16 

The rejection of Claim 16 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating a plurality of
alerts with the plurality of security devices at a first location; (2) providing one or more variables
operable for analyzing and filtering security event data, the variables comprising at least one of a
location of a security event, a source of security event, a destination address of the security
event, a security event type, a priority of a security event, and an identification of a system that
detected a security event; (3) creating scope criteria by selecting one or more of the variables
operable for analyzing and filtering security event data, the security event data comprising the
plurality of alerts; (4) collecting security event data at a second location; (5) applying the scope
criteria to the security event data at a third location to produce result data; (6) transmitting the
result data to one or more clients; and (7) displaying the result data comprising filtered alerts
based on the scope criteria, as recited in amended independent Claim 16.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach providing
one or more variables operable for analyzing and filtering security event data, the variables
comprising at least one of a location of a security event, a source of security event, a destination
address of the security event, a security event type, a priority of a security event and an
identification of a system that detected a security event; and creating scope criteria by selecting
one or more of the variables operable for analyzing and filtering security event data; as recited in
amended independent Claim 16.

In light of the differences between amended independent Claim 16 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 16. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 27

The rejection of Claim 27 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest a system that includes: (1) a plurality of
security devices operable for generating security event data comprising a plurality of alerts; (2)
an event manager coupled to the security devices, the event manager operable for collecting
security event data from the security devices and analyzing and filtering the security event data
with scope criteria comprising one or more defineable variables operable for analyzing and
filtering the security event data, the variables comprising at least one of a location of a security
event, a source of security event, a destination address of the security event, a security event
type, a priority of a security event, and an identification of a system that detected a security
event, and the event manager operable for applying the scope criteria to the security event data to
produce result data; and (3) one or more clients coupled to the event manager operable to
perform an action in response to receiving analyzed security event data from the event manager
and displaying the result data comprising filtered alerts based on the scope criteria, as recited in
amended independent Claim 27.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach analyzing
and filtering the security event data with scope criteria comprising one or more defineable
variables operable for analyzing and filtering the security event data, the variables comprising at
least one of a location of a security event, a source of security event, a destination address of the
security event, a security event type, a priority of a security event, and an identification of a
system that detected a security event, as recited in amended independent Claim 27.

In light of the differences between amended independent Claim 27 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 27. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.






Serial No. 09/844,448 






Independent Claim 34 

The rejection of Claim 34 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating a plurality of
alerts with a plurality of security devices at a first location; (2) providing one or more variables
operable for analyzing and filtering security event data, the variables comprising at least one of a
location of a security event, a source of security event, a destination address of the security
event, a security event type, a priority of a security event, and an identification of a system that
detected a security event; (3) creating scope criteria by selecting one or more of the variables
operable for analyzing and filtering security event data, the security event data comprising the
plurality of alerts; (4) collecting the security event data at a second location; (5) analyzing and
filtering the collected security event data with the scope criteria at a third location to produce
result data; (6) transmitting the result data to one or more clients; and (7) rendering the result
data in a manageable format for the one or more clients, as recited in amended independent
Claim 34.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach providing
one or more variables operable for analyzing and filtering security event data, the variables
comprising at least one of a location of a security event, a source of security event, a destination
address of the security event, a security event type, a priority of a security event, and an
identification of a system that detected a security event; and creating scope criteria by selecting
one or more of the variables operable for analyzing and filtering security event data, as recited in
amended independent Claim 34.

In light of the differences between amended independent Claim 34 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 34. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Independent Claim 49

The rejection of Claim 49 is respectfully traversed. It is respectfully submitted that the
Hill reference fails to describe, teach, or suggest the combination of: (1) generating security
event data with a plurality of security devices, the security event data comprising a plurality of
alerts; (2) transferring the security event data for storage in a database; (3) applying a scope
criteria comprising one or more defineable variables to the security event data for analyzing and
filtering the security event data to produce a result, the variables comprising at least one of a
location of a security event, a source of security event, a destination address of the security
event, a security event type, a priority of a security event, and an identification of a system that
detected a security event; (4) accessing the result with one or more clients coupled to an
application server; and (5) displaying the result data comprising filtered alerts based on the scope
criteria, as recited in amended independent Claim 49.

Similar to the analysis of independent Claim 1, the Hill reference fails to teach applying a
scope criteria comprising one or more defineable variables to the security event data for
analyzing and filtering the security event data to produce a result, the variables comprising at
least one of a location of a security event, a source of security event, a destination address of the
security event, a security event type, a priority of a security event, and an identification of a
system that detected a security event, as recited in amended independent Claim 49.

In light of the differences between amended independent Claim 49 and the Hill reference,
one of ordinary skill in the art recognizes that the Hill reference fails to describe, teach, or
suggest the recitations as set forth in amended independent Claim 49. Accordingly,
reconsideration and withdrawal of this rejection are respectfully requested.

Dependent Claims 2-15, 17-26, 28-33, 35-48, and 50-59

The Applicants respectfully submit that the above-identified dependent claims are
allowable because the independent claims from which they depend are patentable over the cited
prior art reference. The Applicants also respectfully submit that the recitations of these
dependent claims are of patentable significance.

In view of the foregoing, the Applicants respectfully request that the Examiner withdraw
the pending rejections of dependent Claims 2-15, 17-26, 28-33, 35-48, and 50-59.

CONCLUSION

Applicants submit the foregoing as a full and complete response to the Final Office
Action dated June 14, 2005. The Applicants and the undersigned thank Examiner Son for
consideration of these remarks. Applicants submit that this Amendment places the application in
condition for allowance and respectfully request such action.

If any issues exist that can be resolved with an Examiner's Amendment or a telephone
conference, please contact the undersigned at 404.572.4647.



KING & SPALDING LLP 

191 Peachtree Street, 45th Floor

Atlanta, Georgia 30303-1763 

(404)572-4600 

K&S Docket 05456.105005 



Respectfully submitted, 

Kerry L. Broome 
Reg. No. 54,004 